Identity Manager 8.1 - Administration Guide for Connecting Unix-Based Target Systems

Managing Unix-Based Systems Setting Up Synchronization with a Unix-Based Target System Base Data for Unix-Based Target Systems Unix Host Unix User Accounts Unix Groups Reports about Unix Objects Appendix: Configuration parameters for managing a Unix environment Appendix: Default Project Template for Unix-Based Target Systems

Effectiveness of Group Memberships

Table 32: Configuration Parameter for Conditional Inheritance
Configuration parameter Effect when set

QER | Structures | Inherite | GroupExclusion

Preprocessor relevant configuration parameter for controlling effectiveness of group memberships. If the parameter is set, memberships can be reduced on the basis of exclusion definitions. Changes to the parameter require recompiling the database.

When groups are assigned to user accounts an employee may obtain two or more groups, which are not permitted in this combination. To prevent this, you can declare mutually exclusive groups. To do this, you specify which of the two groups should apply to the user accounts if both are assigned.

It is possible to assign an excluded group directly, indirectly or by IT Shop request at any time. One Identity Manager determines whether the assignment is effective.

NOTE:

  • You cannot define a pair of mutually exclusive groups. That means, the definition "Group A excludes group B" AND "Group B excludes groups A" is not permitted.
  • You must declare each group to be excluded from a group separately. Exclusion definitions cannot be inherited.
  • One Identity Manager does not check whether membership of an excluded group is permitted in another group (table ).

The effectiveness of the assignments is mapped in the UNXAccountInUNXGroup and BaseTreeHasUNXGroup via the column XIsInEffect.

Example of the effect of group memberships
  • Group A is defined with permissions for triggering requests in a host A group B is authorized to make payments. A group C is authorized to check invoices.
  • Group A is assigned through the department "Marketing", group B through "Finance" and group C through the business role "Control group".

Clara Harris has a user account in this host. She primarily belongs to the department "marketing". The business role "Control group" and the department "Finance" are assigned to her secondarily. Without an exclusion definition, the user account obtains all the permissions of groups A, B and C.

By using suitable controls, you want to prevent an employee from being able to trigger a request and to pay invoices. That means, groups A, B and C are mutually exclusive. An employee that checks invoices may not be able to make invoice payments as well. That means, groups B and C are mutually exclusive.

Table 33: Specifying excluded groups (table AADGroupExclusion))

Effective Group

Excluded Group

Group A

Group B

Group A

Group C

Group B

Table 34: Effective Assignments

Employee

Member in Role

Effective Group

Ben King

Marketing

Group A

Jan Bloggs

Marketing, finance

Group B

Clara Harris

Marketing, finance, control group

Group C

Jenny Basset

Marketing, control group

Group A, Group C

Only the group C assignment is in effect for Clara Harris. It is published in the target system. If Clara Harris leaves the business role "control group" at a later date, group B also takes effect.

The groups A and C are in effect for Jenny Basset because the groups are not defined as mutually exclusive. That means that the employee is authorized to trigger request and to check invoices. If this should not be allowed, define further exclusion for group C.

Table 35: Excluded groups and effective assignments

Employee

Member in Role

Assigned Group

Excluded Group

Effective Group

Jenny Basset

 

Marketing

Group A

 

Group C

 

Control group

Group C

Group B

Group A

Prerequisites
  • The configuration parameter QER | Structures | Inherite | GroupExclusion is enabled.

  • Mutually exclusive groups belong to the same host.

To exclude a group

  1. In Manager, select Unix | Groups.

  2. Select a group in the result list.
  3. Select Exclude groups.

  4. Assign the groups that are mutually exclusive to the selected group in Add assignments.

    - OR -

    In Remove assignments, remove the groups that are not longer mutually exclusive.

  5. Save the changes.

Unix Group Inheritance Based on Categories

In One Identity Manager, groups can be selectively inherited by user accounts. For this purpose, the groups and the user accounts are divided into categories. The categories can be freely selected and are specified using a mapping rule. Each category is given a specific position within this mapping rule. The template contains two tables; the user account table and the group table. Use the user account table to specify categories for target system dependent user accounts. In the group table enter your categories for the target system-dependent groups. Each table contains the category positions Position 1 to Position 31.

Every user account can be assigned to one or more categories. Each group can also be assigned to one or more categories. The group is inherited by the user account when at least one user account category item matches an assigned group. The group is also inherited by the user account if the group or the user account is not put into categories.

NOTE: Inheritance through categories is only taken into account when groups are assigned indirectly through hierarchical roles. Categories are not taken into account when groups are directly assigned to user accounts.
Table 36: Category Examples
Category Position Categories for User Accounts Categories for Groups
1 Default user Default permissions
2 System user System user permissions
3 System administrator System administrator permissions

Figure 2: Example of inheriting through categories.

To use inheritance through categories

  • Define the categories in the host environment.
  • Assign categories to user accounts through their master data.
  • Assign categories to groups through their master data.
Related Topics

Assigning extended properties to a Unix group

Extended properties are meta objects that cannot be mapped directly in One Identity Manager, for example, operating codes, cost codes or cost accounting areas.

To specify extended properties for a group

  1. In Manager, select Unix | Groups.

  2. Select the group in the result list.

  3. Select Assign extended properties.

  4. Assign extended properties in Add assignments.

    TIP: In the Remove assignments area, you can remove the assignment of extended properties.

    To remove an assignment

    • Select the extended property and double click .
  5. Save the changes.

For more detailed information about setting up extended properties, see the One Identity Manager Identity Management Base Module Administration Guide.

Deleting Unix Groups

To delete a group

  1. Select Unix | Groups.
  2. Select the group in the result list.
  3. Delete the group using .
  4. Confirm the security prompt with Yes.

The group is deleted completely from the One Identity Manager database and from Unix.

Related Documents